Fully chained kernel exploit for the PS Vita on firmwares 3.65-3.73
h-encore², where h stands for hacks and homebrews, is the fourth public jailbreak for the PS Vita™ which supports the newest firmwares 3.65-3.73. It allows you to make kernel- and user-modifications, change the clock speed, install plugins, run homebrews and much more.
270 MBof free space.
Download h-encore² and extract it on your computer.
Download the vulnerable DRM-free demo of bitter smile (yes, that's the user entry point).
Extract the demo using this command in terminal/cmd:
pkg2zip -x PATH_OF_PKG
This will output the files to
Copy the contents of the output
app/PCSG90096to the folder
h-encore-2/app/ux0_temp_game_PCSG90096_app_PCSG90096(such that the files
VITA_PATH.TXTare within the same folder).
Copy the license file
app/PCSG90096/sce_sys/package/temp.binto the folder
h-encore-2/license/ux0_temp_game_PCSG90096_license_app_PCSG90096and rename the just pasted file
6488b73b912a753a492e2714e9b38bc7.rif. Be careful with the file extension, it should not be
.rif.bin. Again, this file should be in the same folder as
Start qcma and within the qcma settings set the option
Use this version for updatesto
FW 0.00 (Always up-to-date)to spoof the System Software check.
Launch Content Manager on your PS Vita and connect it to your computer, where you then need to select
PC -> PS Vita System, and after that you select
Applications. If you see an error message about System Software, you should simply reboot your device to solve it (if this doesn't solve, then put your device into airplane mode and reboot). If this does still not work, then alternatively set DNS to
18.104.22.168to block updates. This should create a folder at
PS Vita/APP/xxxxxxxxxxxxxxxxon your computer (see qcma settings where this folder is), where the folder
xxxxxxxxxxxxxxxxrepresents the AID (account ID that is 16 characters long) that you need to insert here. If the AID is valid, it will yield a key that you can now use to encrypt the demo.
Change directory to the
h-encore-2folder in terminal/cmd and use the key to encrypt all folders using (make sure you don't confuse the key with the AID, the key is 64 characters long!):
psvimg-create -n app -K YOUR_KEY app PCSG90096/app psvimg-create -n appmeta -K YOUR_KEY appmeta PCSG90096/appmeta psvimg-create -n license -K YOUR_KEY license PCSG90096/license psvimg-create -n savedata -K YOUR_KEY savedata PCSG90096/savedata
h-encore-2/PCSG90096should then contain
sce_sysand all 4 folders from above, and within these folders you should find files called
Xhas the same name as the folder. Backup this folder, since if everything has been done correctly, you don't need to redo all the steps to install it onto another device with the same PSN account.
Copy the folder
PS Vita/APP/xxxxxxxxxxxxxxxx/PCSG90096and then select
Refresh databasein qcma.
The h-encore² bubble with a size of around
243 MBshould now appear in the Content Manager and that's what you finally need to transfer to your PS Vita. If the size does not match or you get the error
C2-12858-4, then it's because you did not do it correctly! Please re-read the instructions more carefully then. If you get the error
You can only copy applications that your account is the owner of, then it's because you have used an AID that is not of your account, go back to step 8.
Launch h-encore² to exploit your device (if a message about trophies appears, simply click yes). The screen should first flash white, then purple, and finally open a menu called h-encore bootstrap menu where you can download VitaShell and install HENkaku. If it prompts the error
Cannot start this application. C0-11136-2, then it's because you did not do step 6. correctly.
Enjoy. Note that you have to relaunch the exploit everytime you reboot or shutdown your device. Of course if you only put your device into standby mode, you don't need to relaunch.
HENkaku Settings, then select
Enable unsafe homebrews. This will grant you full permission in VitaShell.
If you like my work and want to support future projects, you can make a donation: